summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* rootless cni without infra containerPaul Holzinger2021-04-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of creating an extra container create a network and mount namespace inside the podman user namespace. This ns is used to for rootless cni operations. This helps to align the rootless and rootful network code path. If we run as rootless we just have to set up a extra net ns and initialize slirp4netns in it. The ocicni lib will be called in that net ns. This design allows allows easier maintenance, no extra container with pause processes, support for rootless cni with --uidmap and possibly more. The biggest problem is backwards compatibility. I don't think live migration can be possible. If the user reboots or restart all cni containers everything should work as expected again. The user is left with the rootless-cni-infa container and image but this can safely be removed. To make the existing cni configs work we need execute the cni plugins in a extra mount namespace. This ensures that we can safely mount over /run and /var which have to be writeable for the cni plugins without removing access to these files by the main podman process. One caveat is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns` accessible. `XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`. To ensure that we keep the netns directory we bind mount this relative to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns before we mount the run directory. The run directory is mounted recursive, this makes the netns directory at the same path accessible as before. This also allows iptables-legacy to work because /run/xtables.lock is now writeable. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Should send the OCI runtime path not just the name to buildahDaniel J Walsh2021-03-31
| | | | | | | | | [NO TESTS NEEDED] Mainly because I have no idea how we would test this. Fixes: https://github.com/containers/podman/issues/9459 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9881 from Luap99/net-reload-silence-errorsOpenShift Merge Robot2021-03-30
|\ | | | | Silence podman network reload errors with iptables-nft
| * Silence podman network reload errors with iptables-nftPaul Holzinger2021-03-30
| | | | | | | | | | | | | | | | | | | | | | | | Make sure we do not display the expected error when using podman network reload. This is already done for iptables-legacy however iptables-nft creates a slightly different error message so check for this as well. The error is logged at info level. [NO TESTS NEEDED] The test VMs do not use iptables-nft so there is no way to test this. It is already tested for iptables-legacy. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | [NO TESTS NEEDED] Shrink the size of podman-remoteDaniel J Walsh2021-03-29
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* [NO TESTS NEEDED] Fix for kernel without CONFIG_USER_NSなつき2021-03-26
| | | Signed-off-by: Natsuki <i@ntk.me>
* Use TMPDIR when commiting imagesDaniel J Walsh2021-03-26
| | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/9825 Currently we are using TMPDIR for storaing temporary files when building images, but not when you directly commit the images. This change simply uses the TMPDIR environment variable if set to store temporary files. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9810 from jmguzik/fix-impages-filter-http-apiOpenShift Merge Robot2021-03-25
|\ | | | | Fix filters list/prune in image http compat/libpod api endpoints
| * Fix filters in image http compat/libpod api endpointsJakub Guzik2021-03-25
| | | | | | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | libpod/image: unit tests: use a `registries.conf` for aliasesValentin Rothberg2021-03-25
| | | | | | | | | | | | | | | | | | | | Since some unit tests use "busybox", we need to point it to some alias if we want it to pass CI on F34 where we're running in enforced mode. Furthermore, make sure that the registries.conf can actually be overridden in the code. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | libpod/image: unit tests: defer cleanupValentin Rothberg2021-03-25
| | | | | | | | | | | | Defer cleaning up the test artifacts as early as possible. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | libpod/image: unit tests: use `require.NoError`Valentin Rothberg2021-03-25
| | | | | | | | | | | | | | | | In contrast to `assert.NoError`, `require.NoError` treats mismatches fatally which in many cases is necessary to prevent subsequent checks from segfaulting. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #9768 from mheon/fix_9608OpenShift Merge Robot2021-03-25
|\ \ | |/ |/| Ensure manually-created volumes have correct ownership
| * Ensure manually-created volumes have correct ownershipMatthew Heon2021-03-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As part of a fix for an earlier bug (#5698) we added the ability for Podman to chown volumes to correctly match the user running in the container, even in adverse circumstances (where we don't know the right UID/GID until very late in the process). However, we only did this for volumes created automatically by a `podman run` or `podman create`. Volumes made by `podman volume create` do not get this chown, so their permissions may not be correct. I've looked, and I don't think there's a good reason not to do this chwon for all volumes the first time the container is started. I would prefer to do this as part of volume copy-up, but I don't think that's really possible (copy-up happens earlier in the process and we don't have a spec). There is a small chance, as things stand, that a copy-up happens for one container and then a chown for a second, unrelated container, but the odds of this are astronomically small (we'd need a very close race between two starting containers). Fixes #9608 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | [NO TESTS NEEDED] Fix rootless volume pluginsPhoenix The Fallen2021-03-24
| | | | | | | | | | | | In a case of volume plugins with custom options. Signed-off-by: Phoenix The Fallen <thephoenixofthevoid@gmail.com>
* | Merge pull request #9785 from jmguzik/unification-of-label-filterOpenShift Merge Robot2021-03-24
|\ \ | | | | | | Unification of label and until filters across list/prune endpoints
| * | Unification of until filter across list/prune endpointsJakub Guzik2021-03-24
| | | | | | | | | | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
| * | Unification of label filter across list/prune endpointsJakub Guzik2021-03-24
| | | | | | | | | | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | Merge pull request #9749 from jwillikers/generate-kube-persistent-volume-claimOpenShift Merge Robot2021-03-23
|\ \ \ | | | | | | | | Generate Kubernetes PersistentVolumeClaims from named volumes
| * | | Generate Kubernetes PersistentVolumeClaims from named volumesJordan Williams2021-03-19
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes #5788 This commit adds support for named volumes in podman-generate-kube. Named volumes are output in the YAML as PersistentVolumeClaims. To avoid naming conflicts, the volume name is suffixed with "-pvc". This commit adds a corresponding suffix for host path mounts. Host path volumes are suffixed with "-host". Signed-off-by: Jordan Williams <jordan@jwillikers.com>
* | | Merge pull request #9537 from TomSweeneyRedHat/dev/tsweeney/tz_checkOpenShift Merge Robot2021-03-23
|\ \ \ | |_|/ |/| | Validate passed in timezone from tz option
| * | Validate passed in timezone from tz optionTomSweeneyRedHat2021-03-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Erik Sjolund reported an issue where a badly formated file could be passed into the `--tz` option and then the date in the container would be badly messed up: ``` erik@laptop:~$ echo Hello > file.txt erik@laptop:~$ podman run --tz=../../../home/erik/file.txt --rm -ti docker.io/library/alpine cat /etc/localtime Hello erik@laptop:~$ podman --version podman version 3.0.0-rc1 erik@laptop:~$ ``` This fix checks to make sure the TZ passed in is a valid value and then proceeds with the rest of the processing. This was first reported as a potential security issue, but it was thought not to be. However, I thought closing the hole sooner rather than later would be good. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | | Merge pull request #9757 from jwhonce/wip/loadOpenShift Merge Robot2021-03-22
|\ \ \ | |/ / |/| | Cleanup /libpod/images/load handler
| * | Cleanup /libpod/images/load handlerJhon Honce2021-03-19
| |/ | | | | | | | | | | | | | | | | * Remove orphaned code * Add meaningful error from LoadImageFromSingleImageArchive() when heuristic fails to determine payload format * Correct swagger to output correct types and headers Signed-off-by: Jhon Honce <jhonce@redhat.com>
* / security: use the bounding caps with --privilegedGiuseppe Scrivano2021-03-19
|/ | | | | | | | | when --privileged is used, make sure to not request more capabilities than currently available in the current context. [NO TESTS NEEDED] since it fixes existing tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* network prune filters for http compat and libpod apiJakub Guzik2021-03-18
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Do not leak libpod package into the remote clientPaul Holzinger2021-03-15
| | | | | | | | | | | | | | | | | | Some packages used by the remote client imported the libpod package. This is not wanted because it adds unnecessary bloat to the client and also causes problems with platform specific code(linux only), see #9710. The solution is to move the used functions/variables into extra packages which do not import libpod. This change shrinks the remote client size more than 6MB compared to the current master. [NO TESTS NEEDED] I have no idea how to test this properly but with #9710 the cross compile should fail. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Split libpod/network packagePaul Holzinger2021-03-15
| | | | | | | | | | | | The `libpod/network` package should only be used on the backend and not the client. The client used this package only for two functions so move them into a new `pkg/network` package. This is needed so we can put linux only code into `libpod/network`, see #9710. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9668 from rhatdan/manOpenShift Merge Robot2021-03-10
|\ | | | | Document CONTAINERS_CONF/CONTAINERS_STORAGE_CONF Env variables
| * Document CONTAINERS_CONF/CONTAINERS_STORAGE_CONF Env variablesDaniel J Walsh2021-03-10
| | | | | | | | | | | | | | Also Switch to using CONTAINERS_REGISTRIES_CONF for registries.conf overrides. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9681 from rhatdan/rmOpenShift Merge Robot2021-03-10
|\ \ | |/ |/| Removing a non existing container API should return 404
| * Removing a non existing container API should return 404Daniel J Walsh2021-03-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently we were overwrapping error returned from removal of a non existing container. $ podman rm bogus -f Error: failed to evict container: "": failed to find container "bogus" in state: no container with name or ID bogus found: no such container Removal of wraps gets us to. ./bin/podman rm bogus -f Error: no container with name or ID "bogus" found: no such container Finally also added quotes around container name to help make it standout when you get an error, currently it gets lost in the error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9676 from giuseppe/cli-overrides-confOpenShift Merge Robot2021-03-10
|\ \ | |/ |/| options: append CLI graph driver options
| * options: append CLI graph driver optionsGiuseppe Scrivano2021-03-09
| | | | | | | | | | | | | | | | | | | | | | if --storage-opt are specified on the CLI append them after what is specified in the configuration files instead of overriding it. Closes: https://github.com/containers/podman/issues/9657 [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #9677 from vrothberg/fix-9672OpenShift Merge Robot2021-03-09
|\ \ | | | | | | podman load: fix error handling
| * | podman load: fix error handlingValentin Rothberg2021-03-09
| |/ | | | | | | | | | | | | | | Make sure to properly return loading errors and to set the exit code accordingly. Fixes: #9672 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman cp: evaluate symlink correctly when copying from containerValentin Rothberg2021-03-09
| | | | | | | | | | | | | | | | When copying from a container, make sure to evaluate the symlinks correctly. Add tests copying a symlinked directory from a running and a non-running container to execute both path-resolution paths. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman cp: fix ownershipValentin Rothberg2021-03-09
| | | | | | | | | | | | | | | | Make sure the files are chowned to the host/container user, depending on where things are being copied to. Fixes: #9626 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman cp: ignore EPERMs in rootless modeValentin Rothberg2021-03-09
|/ | | | | | | | | | | | Ignore permission errors when copying from a rootless container. TTY devices inside rootless containers are owned by the host's root user which is "nobody" inside the container's user namespace rendering us unable to even read them. Enable the integration test which was temporarily disabled for rootless users. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* allow the removal of storage imagesDaniel J Walsh2021-03-08
| | | | | | | | Sometimes if the system crashes while an image is being pulled containers/storage can get into a bad state. This PR allows the user to call into container storage to remove the image. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9649 from rhatdan/kubeOpenShift Merge Robot2021-03-08
|\ | | | | Allow users to generate a kubernetes yaml off non running containers
| * Allow users to generate a kubernetes yaml off non running containersDaniel J Walsh2021-03-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently if you attempt to create a kube.yaml file off of a non running container where the container runs as a specific User, the creation fails because the storage container is not mounted. Podman is supposed to read the /etc/passwd entry inside of the container but since the container is not mounted, the c.State.Mountpoint == "". Podman incorrectly attempts to read /etc/passwd on the host, and fails if the specified user is not in the hosts /etc/passwd. This PR mounts the storage container, if it was not mounted so the read succeeds. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | turn hidden --trace into a NOPValentin Rothberg2021-03-08
|/ | | | | | | | | | The --trace has helped in early stages analyze Podman code. However, it's contributing to dependency and binary bloat. The standard go tooling can also help in profiling, so let's turn `--trace` into a NOP. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #9647 from mlegenovic/masterOpenShift Merge Robot2021-03-07
|\ | | | | Compat API: Fix the response of 'push image' endpoint
| * Correct compat images/{name}/push responseMilivoje Legenovic2021-03-07
| | | | | | | | Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
* | separate file with mount consts in libpod/defineJakub Guzik2021-03-07
| | | | | | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | Merge pull request #9624 from mheon/fix_9615OpenShift Merge Robot2021-03-05
|\ \ | | | | | | [NO TESTS NEEDED] Do not return from c.stop() before re-locking
| * | Do not return from c.stop() before re-lockingMatthew Heon2021-03-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unlocking an already unlocked lock is a panic. As such, we have to make sure that the deferred c.lock.Unlock() in c.StopWithTimeout() always runs on a locked container. There was a case in c.stop() where we could return an error after we unlock the container to stop it, but before we re-lock it - thus allowing for a double-unlock to occur. Fix the error return to not happen until after the lock has been re-acquired. Fixes #9615 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #9593 from vrothberg/cp-tmpOpenShift Merge Robot2021-03-05
|\ \ \ | |_|/ |/| | podman cp: support copying on tmpfs mounts
| * | podman cp: support copying on tmpfs mountsValentin Rothberg2021-03-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Traditionally, the path resolution for containers has been resolved on the *host*; relative to the container's mount point or relative to specified bind mounts or volumes. While this works nicely for non-running containers, it poses a problem for running ones. In that case, certain kinds of mounts (e.g., tmpfs) will not resolve correctly. A tmpfs is held in memory and hence cannot be resolved relatively to the container's mount point. A copy operation will succeed but the data will not show up inside the container. To support these kinds of mounts, we need to join the *running* container's mount namespace (and PID namespace) when copying. Note that this change implies moving the copy and stat logic into `libpod` since we need to keep the container locked to avoid race conditions. The immediate benefit is that all logic is now inside `libpod`; the code isn't scattered anymore. Further note that Docker does not support copying to tmpfs mounts. Tests have been extended to cover *both* path resolutions for running and created containers. New tests have been added to exercise the tmpfs-mount case. For the record: Some tests could be improved by using `start -a` instead of a start-exec sequence. Unfortunately, `start -a` is flaky in the CI which forced me to use the more expensive start-exec option. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>